Abstract

Since hundreds of certificate authorities (CAs) can issue browser-trusted certificates, it can be difficult for domain owners to detect certificates that have been fraudulently issued for their domain. Certificate Transparency (CT) is a recent standard by the Internet Engineering Task Force (IETF) that aims to construct public logs of all certificates issued by CAs, making it easier for domain owners to monitor for fraudulently issued certificates. To avoid relying on trusted log servers, CT includes mechanisms by which monitors and auditors can check whether logs are behaving honestly or not; these mechanisms are primarily based on Merkle tree hashing and authentication proofs. Given that CT is now being deployed, it is important to verify that it achieves its security goals. In this work, we define four security properties of logging schemes such as CT that can be assured via cryptographic means, and show that CT does achieve these security properties. We consider two classes of security goals: those involving security against a malicious logger attempting to present different views of the log to different parties or at different points in time, and those involving security against malicious monitors who attempt to frame an honest log for failing to include a certificate in the log. We show that Certificate Transparency satisfies these security properties under various assumptions on Merkle trees all of which reduce to collision resistance of the underlying hash function (and in one case with the additional assumption of unforgeable signatures).

Notes

Acknowledgements

Benjamin Dowling and Douglas Stebila are supported by Australian Research Council (ARC) Discovery Project grant DP130104304. Felix Günther is supported by the DFG as part of project S4 within the CRC 1119 CROSSING.

Proof

By definition of \(\mathsf {OTick}\) (cf. Fig. 7), the simulated honest logger will keep track of any promise \(P\) issued through \(\mathsf {OPromiseEntry}\) and will include the \(P\) through \(\mathsf {OUpdateLog}\) by time \(T = P.t + \mathsf {MMD}\). As in particular \(\mathsf {MMD}> 0\), this ensures that any fingerprint issued by the honest logger at time \(T' \ge T\) will include the promised entry \(P.e\).

Assume \(\mathcal {A} \) wins by outputting \((F, P, \vec {E})\), i.e., \(F\) is a valid fingerprint representing entries \(\vec {E}\) and \(P\) is a promise for an entry \(e\notin \vec {E}\) although \(P.t + \mathsf {MMD}\le F.t\). This means either one of the promise \(P\) or the fingerprint \(F\) (or both) were not issued by the simulated honest logger through an invocation of \(\mathsf {OPromiseEntry}\) or \(\mathsf {OUpdateLog}\), or that \(\mathcal {A} \) repeated an honest \(F\) that matches an entry list \(\vec {E}\) different from the entry list \(\vec {E}'\) hold by the honest logger when creating the fingerprint.

For the first case, we show how this allows constructing a signature forgery attacker \(\mathcal {C} \) against the \(\mathsf {euf\text {-}{}cma}\) security of \(\mathtt {SIG}\), which works as follows. First of all, \(\mathcal {C} \) creates an initial state with empty list of entries. It then simulates experiment \(\mathrm {Exp}^{\mathsf {promise\text {-}{}incl}}_{\mathtt {CT}_{\mathrm {H},\mathtt {SIG}},\mathsf {MMD}}\) for \(\mathcal {A} \), providing the public key \(pk\) from its \(\mathsf {euf\text {-}{}cma}\) game as input for \(\mathcal {A} \). It furthermore uses its \(\mathsf {euf\text {-}{}cma}\) signing oracle \(\mathsf {OSign} \) when required to generate a signature in the simulations of the \(\mathsf {OPromiseEntry}\) and \(\mathsf {OUpdateLog}\) oracles and keeps a list of all the values queried to the signing oracle.

If \(\mathcal {A} \) halts (outputting \((F, P, \vec {E})\)) and wins, as argued above, at least one of \(P\) or \(F\) was not output through \(\mathcal {C} \)’s simulation of \(\mathsf {OPromiseEntry}\) and \(\mathsf {OUpdateLog}\) (as we excluded the case of a Merkle-tree hash collision). Hence, in particular, the according value was not queried to the \(\mathsf {euf\text {-}{}cma}\) signing oracle, so \(\mathcal {C} \) checks which of the two values is not contained in its list of queries and outputs this as its valid signature forgery. \(\square \)